Thanks for the reply, I was thinking about cluster as more of an automatic check with less manual changes to the query. I will experiment a bit, and post a new question in a while. Thank you ... View more

I must have accidentally cleaned out your additional post: Can you just run this and see if it returns just the list of internal_message_id field which corresponds to attacker/sender from index=BBB? index=AAA sourcetype="Xmail" eventtype=X_email [search index=BBB sourcetype=Y_cef_syslog eventtype=Y suser=* | fields suser| rex field=suser "(?[\w\d\.\-\@]+)" | eval sender= lower(attacker) |table sender] | stats count by internal_message_id | table internal_message_id If above works fine without any problems, copy the above query into following format index=AAA [ search <> ] | table * Yes sir!!! that also works!!! Thank you! ... View more

|eval Time=strftime(_time, "%H:%M:%S") | eval Date=strftime(_time, "%A %F") This works too Thanks! ... View more

It sounds like you do not have the app installed. The links below should help you. The search head should have only the app installed (do not install the app and TA on the search head). Use only the TA for everything else. The link to the configuration guide at the bottom should help you configure everything and send test events to Splunk so you can see what is parsed. App: https://splunkbase.splunk.com/app/1845/ TA: https://apps.splunk.com/app/1904/ Configuration guide: https://www.fireeye.com/content/dam/fireeye-www/global/en/partners/pdfs/config-guide-fireeye-app-for-splunk-enterprise.pdf If you have other issues, please feel free to send me an email via the Help -> Send Feedback link within the FireEye Splunk app. ... View more

Thank you for your awesome response, that will get me going. ... View more

Thank you sir. That will work. I have learned a lot from you today. Thank you. ... View more

thank you for the response ... View more

Sweet!!!! it works great! Thank you ... View more

I doubt its a data issue... but some more help here for you. When you run the search you can click on "job" drop down, then click on "inspect job", then look at "normalized search". It should look like this: litsearch index=main ( ( component="ExecProcessor" ) OR ( component="HttpPubSubConnection" ) OR ( component="HttpPubSubConnection" ) OR ( component="Metrics" ) OR ( component="Metrics" ) ) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" Or similar if you run a subsearch like this: index=main [search index=_internal component=* | head 5 | table component] You'll see where it's adding a large OR clause to the main search. Now if the subsearch returns 0 results then the normalized search will look like this instead: litsearch NOT () | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" And that's obviously borked. Try the approach above and see if you can spot the error in your normalized search. ... View more

¯\_(ツ)_/¯ ... View more

Hi Ryan, you are correct with your answer and I apologize for the confusion on this question. I did not properly test a matching condition. When a matching condition occurs all fields populate. Thank you for your help. ... View more

index=msad | eval reformattedDomain = replace(replace(questionname,"\(\d+\)","."),"\.(.*)\.","\1") |stats count by reformattedDomain |lookup malware_domainsdm.csv domain AS reformattedDomain | eval domainmatch=if(reformatedDomain==domain, "bad", "good") This gets me closer but I am having trouble populating the other malwaredomaindm.csv fields like category, date, and reference. Any ideas? Thank you ... View more

It is a permission issue, when I get that sorted I will give you my result about the .conf file. Thank you ... View more

Thank you Martin, your first option works. The searchtxn I have not confirmed yet, but I will keep working on it. Thank you for all the help!!! ... View more

Hi Muebel, Thank you for the information and I will look into this. What I am really looking for is creation dates on sender domains I extract from email logs. I want to automate it, so that as Splunk searches and filters the sender domains, I get a result like sender = johndoe@somecompany.com sender_domain = somecompany.com domain_creation date = 02Feb2016 (as an example). Please let me know if you have any insight on this goal, while I read thru the link you provided. If you think I need to use a python script and pay for an API, then please advise. Thank you ... View more

index=mail sourcetype=xemail [search index=mail sourcetype=xemail subject = "Blah" |stats count by UID| fields UID] | rex field=sender "[@\.](?<domain>\w+\.\w+)$" | stats list(subject) as subj list(sender) as sender list(recipient) as recp list(vendor_action) as status by UID | search status= "Message done" | lookup watch_list.csv domain as sender_domain OUTPUT flag | eval on_watch_list=if(flag=1,"yes","no") | fields - flag |eventstats count(eval(on_white_list = "yes")) as total_on_white_list This seems to work with some tweaks but I am not sure if it the best way to do it. Any tips or comments appreciated. ... View more

This works now too. Thanks ... View more

Hello, I was the same problem with Mysql module that I was install on my Centos server Splunk didn't work with this library, because splunk has they own python library...then you can fix it only added on the begin your script all libraries of python and also you must to add the python Centos library too... as this way Find python packages [root@xxxx]#find / -name site-packages /usr/lib/python2.7/site-packages /usr/lib64/python2.7/site-packages /opt/splunk/etc/apps/Splunk_SA_Scientific_Python_linux_x86_64/bin/linux_x86_64/lib/python2.7/site-packages /opt/splunk/lib/python2.7/site-packages Find python binary [root@xxxx]# whereis python python: /usr/bin/python2.7 /usr/bin/python /usr/lib/python2.7 /usr/lib64/python2.7 /etc/python /usr/include/python2.7 /opt/splunk/bin/python /opt/splunk/bin/python2.7 /usr/share/man/man1/python.1.gz include all at begin your script import sys sys.path.append('/usr/bin/python2.7') sys.path.append('/usr/lib/python2.7/site-packages') sys.path.append('/usr/lib64/python2.7/site-packages') And that's it , you can run mysql module without any problem and create your alerts with this module. Mysql Connection import mysql.connector I hope that this fix will help you Joel Urtubia Ugarte ... View more

| eventstats count(eval(on_watch_list = "yes")) as total_on_watch_list works great!!! Thank you! ... View more

Thank you!!! ... View more

even better! did you write an SPL book? ... View more